F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : November_17th





NAME:November_17th
ALIAS:Int83, BigMouse, November, 800
TYPE:Resident COM/EXE-files
ORIGIN:Italy
SIZE:522-1061
REPAIR:Most members of this family

The November_17th virus family has several members:

VARIANT:November_17th.584
SIZE:584

This virus seems to one of the earliest versions of November 17 as it only infects COM files. The virus will attempt to infect all COM programs that are executed with the following exceptions:

o File is smaller than 16 bytes or larger than 63,488 bytes.

Every Wednesday between 1PM and 5PM, the virus will attempt to erase the CMOS (if present). Every time a key is pressed, a series of descending notes will be produced by the speaker.

VARIANT:November_17th.690
SIZE:690

This variant attempts to infect any COM or EXE which is executed with the following exceptions:

o COM files bigger than 61,440 bytes or smaller than 16 bytes o EXE programs whose declared length is different from it's physical 

   length (e.g. Programs with internal overlays)
o EXE programs which allocate less than 10 paragraphs (Bait programs)

On the 8th of July, the virus will attempt to overwrite the first 8 sectors of the current drive. Network drives are not affected. Due to an error in the virus the computer may crash after the payload has benn activated.

VARIANT:November_17th.706
SIZE:706

This virus will attempt to infect all COM and EXE programs that are executed with the following exceptions:

o COM files bigger than 61440 bytes or smaller than 16 bytes o EXE programs whose declared length is different from it's physical 

   length (e.g. Programs with internal overlays)
o EXE programs that allocate less than 10 paragraphs of memory (e.g. Bait 
   programs)

On the first of any month the first will attempt to overwrite the first 11 sectors of the current drive. Due to an error in the virus code, the only drives to be affected are A:, B: and drives E: to Z:. Network drives will not be affected.

VARIANT:November_17th.768
SIZE:768

This variant will attempt to infect all COM and EXE files that are executed with the following exceptions:

o McAfee's SCAN and CLEAN programs o Any COM file bigger than 60,000 bytes o EXE programs that allocate less than 20 paragraphs of memory (Bait 

   programs)

If the current date is between the 17th and 30th of November the virus overwites the first 8 sectors of the current drive, making the disk unbootable.

VARIANT:November_17th.800.A
SIZE:800

Any file that is opened, executed or has is attributes changed is liable for infection with some exceptions:

o McAfee's SCAN and CLEAN will not be infected. o System files are not infected. o COM files larger than 60,000 bytes will not be infected. o EXE programs whose declared length is different from it's physicial 

   length (Programs with internal overlays)
o EXE programs which allocate less than 20 paragraphs of memory (Bait 
   programs)

The virus will overwrite the first 8 sectors of the current drive on any day between the 17th and 30th of November. Network drives will not be affected.

The following text strings can be found at the end of all infected files:

SCAN.CLEAN.COMEXE

VARIANT:November_17th.855.A
SIZE:855

This particular variant of November 17 is probably one of the most common viruses in Italy.

Any file that is opened, executed or has is attributes changed is liable for infection with some exceptions:

o McAfee's SCAN and CLEAN will not be infected. o COM files larger than 60,000 bytes will not be infected. o EXE programs whose declared length is different from it's physicial 

   length (Programs with internal overlays)
o EXE programs which allocate less than 20 paragraphs of memory (Bait 
   programs)

The virus will overwrite the first 8 sectors of the current drive on any day between the 17th and 30th of November after 500 keypresses. Network drives will not be affected.

The following text strings can be found at the end of all infected files:

SCAN.CLEAN.COMEXE

VARIANT:November_17th.880
SIZE:880

Any file that is opened, executed or has is attributes changed is liable for infection with some exceptions:

o McAfee's SCAN and CLEAN will not be infected. o COM files larger than 60,000 bytes will not be infected. o EXE programs whose declared length is different from it's physicial 

   length (Programs with internal overlays)
o EXE programs which allocate less than 30 paragraphs of memory (Bait 
   programs)

The virus will overwrite the first 4 sectors of the current drive on any day between the 17th and 31st of October after 100 keypresses. Network drives will not be affected.

Certain instructions have been reordered in this virus probably to prevent detection by existing signatures for other November 17 variants.

The following text strings can be found at the end of all infected files:

SCAN.CLEAN.COMEXEAMZ

[Analysis: Jeremy Gumbley, Symbolic, Italy]